TRANSCRIPT
SABSA Implementation
Generic Approach
PART VI
TIME & PERFORMANCE MANAGEMENT CONCEPTS
Scope: Strategy & Planning Phase - Time
Lifecycle Alignment – Deming to SABSA
Architecture Strategy & Planning Phase
Architecture Design Phase
Implementation Phase & Approach
• Implementation is an important part of the lifecycle but the SABSA Matrix does not define a specific implementation layer
– No need to re-invent Prince2 or PMI etc.
• Notoriously difficult to gain business support and budget for pure infrastructure projects
• Rare that a major strategic enterprise-wide security architecture is implemented as a single project
• More likely (and more sensible) is that the architecture provides a blue-print and a road-map that guides a whole series of separate implementation projects, each of which is driven by a specific business initiative and funded by a budget associated with that initiative
Manage & Measure Phase – Lifecycle Overlay
• SABSA Architecture traceably abstracts from pure Business Context to:
– Pure technical deployment in the Component layer
– Pure management in the Service Management layer
• The Service Management layer defines all aspects of security management and constructs the means to manage and incorporate change by being presented vertically across the other layers:
– Strategy (Context & Concept Layers)
– Tactics (Logical, Physical, & Component Layers)
– Operations (Security Service Management Matrix)
Manage & Measure Phase – SSM Matrix
SABSA Development Process
SABSA Risk Management Process Overview
Risk Management and the SABSA Matrix
SABSA Risk Management Activities
SABSA Lifecycle Domain Risk Perspectives
Process Improvement Framework – SABSA Maturity Profile (SMP)
• Coordinates SABSA process information from all parts of the business
– Demonstrates due diligence to senior management, auditors and regulators
• Based on Capability Maturity Modelling (CMM) concepts
– Qualitative measurement technique for maturity of processes
– Six domains mapped onto the SABSA Matrix
– Consistent, objective 5-point maturity scale
• Identifies, measures and reports compliance practices
– Against the SABSA framework, model and processes
– Provides a gap analysis to drive a SABSA improvement programme
• Can be implemented through a web-enabled tool for
– Ease of use, wide involvement, quick responses
• Regular use tracks progress and measures changes
– Benchmarking against target maturity
SABSA Maturity Profile Process Areas
SMP Process Areas and SMP Process Activities
• Each of the six SMP domains is decomposed into six SMP Process Areas
• These SMP Process Areas map onto the six cells of the row of the SABSA Matrix corresponding to the particular SMP domain
• The SMP Process Activities are then derived by overlaying the SABSA Service Management Matrix onto the SMP Process Areas
SMP Maturity Levels
SMP Generic Practices
Performance Management Framework
Defining Business-driven Performance Targets
Architecture Measurement Categories
• Completeness
– Do we have all of the components?
– Do they form an integrated system?
• Assurance
– Does the system run smoothly?
– Are we assured that it is properly assembled?
– Is the system fit-for-purpose?
• Compliance
– Do we maintain the system?
– Do we follow the architecture roadmap?
– Do we comply with the rules?
• Performance
– Is the system properly tuned?
– Do the components work together?
– Do we operate the system correctly?
• Justification & significance
– Does the system have business value?
Measurement Approaches
• High level statements of the approach to obtaining a measurement
• Appropriate to the business need
• In the language of the intended audience
• Culturally specific
Measurement Guidelines
• Measurement should be a repeatable process (for comparison & prediction)
• Measurement should have a clear communications role
– Tracking performance
– Assigning resources
• Measurement should yield quantifiable metrics (percentage, average, numbers, values, etc.)
Metrics Guidelines
• Data used to calculate metrics should be readily obtainable
• Metrics may (should) be calculated independently of parties with vested interest
• The type of metric used may change in line with the maturity of the security process e.g. when you are highly compliant, consider changing from conformance measure to significance measure
• Performance metric / trend should be tested prior to going ‘live’
• Expectations management is key
Types of Metric
• Soft Metrics
– Usually qualitative
– Subjective
– Open to interpretation and opinion (usually of the authority setting the target or of an official compliance agent such as a regulator or auditor)
• Hard Metrics
– Usually quantitative
– Objective
– Fixed, not open to opinion or interpretation
Types of Metric
• Descriptive
– Describes the current-state of the object / attribute being measured
• Comparative
– Describes the current-state of the object / attribute being measured in comparison with a similar object / attribute relating to a different place and/or time
• Predictive
– Describes the current-state of the object / attribute being measured in relation to its trend in order to project and predict a future state
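The SMP gap analysis against target maturity and the three metric types above, as an added Python example that is not SABSA's own tooling; the 1-to-5 scoring of the 5-point scale, the domain names and all scores are constructed assumptions.

```python
import math
from statistics import mean

# Assumption: the SMP 5-point scale is scored 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5
AREAS_PER_DOMAIN = 6  # each SMP domain decomposes into six Process Areas

def domain_score(levels):
    """Descriptive metric: mean maturity of one domain's six Process Areas."""
    if len(levels) != AREAS_PER_DOMAIN:
        raise ValueError("expected one level per SMP Process Area")
    if any(not SCALE_MIN <= lv <= SCALE_MAX for lv in levels):
        raise ValueError("maturity level outside the 5-point scale")
    return mean(levels)

def gap_analysis(profile, targets):
    """Descriptive metric: target level minus assessed score, per domain."""
    return {d: round(targets[d] - domain_score(lv), 2) for d, lv in profile.items()}

def comparative(current, previous):
    """Comparative metric: change in domain score since the previous assessment."""
    return {d: round(domain_score(current[d]) - domain_score(previous[d]), 2)
            for d in current}

def periods_to_target(history, target):
    """Predictive metric: least-squares trend over past domain scores, projected
    forward. Returns assessment periods until the trend reaches the target,
    0 if the target is already met, or None if the trend is flat or declining."""
    if history[-1] >= target:
        return 0
    if len(history) < 2:
        return None
    xs = range(len(history))
    x_bar, y_bar = mean(xs), mean(history)
    slope = (sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, history))
             / sum((x - x_bar) ** 2 for x in xs))
    if slope <= 0:
        return None
    return math.ceil((target - history[-1]) / slope)

# Constructed sample: two of the six domains (placeholder names), assessed in
# two consecutive periods, benchmarked against a target maturity of level 4.
PREVIOUS = {"Domain A": [2, 2, 2, 2, 2, 2], "Domain B": [2, 3, 2, 3, 2, 3]}
CURRENT = {"Domain A": [2, 3, 3, 2, 3, 2], "Domain B": [3, 3, 3, 3, 3, 3]}
TARGETS = {"Domain A": 4, "Domain B": 4}

if __name__ == "__main__":
    print("gap:", gap_analysis(CURRENT, TARGETS))           # {'Domain A': 1.5, 'Domain B': 1.0}
    print("trend:", comparative(CURRENT, PREVIOUS))         # {'Domain A': 0.5, 'Domain B': 0.5}
    print("periods:", periods_to_target([2.0, 2.5, 3.0], 4))  # 2
```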
Conceptual Measures & Metrics Framework
SABSA Vitality Framework
END OF PART VI